Facebook allows users to list which gender of partner they're "interested in." But do you want Facebook's advertisers to know if you're gay? A Microsoft researcher has found a loophole which could secretly reveal a gay user's sexuality to advertisers.

It's no secret that Facebook, like many other online services, targets ads to different groups of users based on demographic data. But using a sensitive category like sexuality to target advertising—which Facebook apparently does—can lead to troubling privacy issues.

For a recent paper, researchers from Microsoft and Germany's Max Planck Institute wanted to see if Facebook targeted ads based on sexuality, so they created six fake profiles: two straight men, two straight women, a gay man and a lesbian. (Besides gender and sexuality, the profiles were indistinguishable.) Then they observed what ads each profile was shown over a week's time.

They found that the ads displayed on the gay man's profile differed substantially from those on the straight one. (The ads shown on the lesbian profile differed only slightly from those on the straight woman's profile.) This isn't surprising, since a gay bar doesn't want to place its ads on the profiles of straight men. But many ads targeted exclusively to gay men had nothing to do with, and made no mention of, their sexuality—for example, one ad hawked a Florida nursing school. (Half of the ads targeted to gay men didn't mention the word "gay" in the text.)

The paper explains why this is a concern:

The danger with such ads, unlike the gay bar ad where the target demographic is blatantly obvious, is that the user reading the ad text would have no idea that by clicking it he would reveal to the advertiser both his sexual-preference and a unique identifier (cookie, IP address, or email address if he signs up on the advertiser's site).

Cookies and IP addresses aside, let's say you click on that ad for the nursing school that targeted its advertising only to gay men. You fill out an application and mention that you saw their ad on Facebook. The school now knows you're a man who is interested in men, even if you've hidden your sexual preference using Facebook's privacy settings. See why this might be a problem?

Of course, if you're comfortable enough to put it on your Facebook profile, you're probably OK with some people knowing you're gay. But whereas Facebook's privacy settings allow you to choose who can see your sexual preference, you have no control over what information Facebook uses to target advertising. Facebook's privacy policy states that it can even use "information you may have decided not to show other users (such as your birth year or other sensitive personal information or preferences) to select the appropriate audience for... advertisements." Anything you put on your profile is fair game.

Security researcher Christopher Soghoian suggests two possible fixes for the problem: 1) Not allowing advertisers to target based on sexuality (or other sensitive information like religion or political affiliation) or 2) Notifying users that an ad has been targeted to them based on a certain characteristic. However, he writes, "I suspect that neither option is going to be something that Facebook is going to want to embrace."

Facebook's company line is that it doesn't share your personal information with advertisers, and the only information it uses to target ads is anonymous. But coming on the heels of revelations that Facebook leaked user information to advertisers through third-party apps, this latest snafu underscores how nearly impossible it is for Facebook both to profit from your personal information and to guarantee it will never be shared without your permission.